Lesson 13 Securing Web Services (WS-Security, SAML)
Lesson 13: Securing Web Services (WS-Security, SAML)
Service Oriented Architectures, Module 2 (WS-Security), Unit 1: Auxiliary Protocols
Ernesto Damiani, Università di Milano
<CipherData> element
This element stores or refers to the encrypted data:
- <CipherValue>: container for the binary encrypted data
- <CipherReference>: reference to a URL of the encrypted data. It can include a pipeline of Transform elements, as in XML Signature, that specify how to filter the referenced data before it is decrypted.

<KeyInfo> element (1)
Describes the key used to encrypt the data. Whereas in XML Signature this is usually a public key, in XML Encryption it is usually a shared encryption key. In general, public keys can be safely included with a message; shared keys, by contrast, must not be embedded in the clear.

<KeyInfo> element (2)
XML Encryption provides several mechanisms to agree on or retrieve the decryption key:
- Key is omitted (agreed out of band)
- Key is referenced: <KeyName>, <RetrievalMethod>. These elements identify which of the secret keys shared between the parties should be used and how the shared key should be retrieved. With them, the same key can be used to encrypt different parts of the same document.
- Key is regenerated: <AgreementMethod>
- Key is included in encrypted form: <EncryptedKey>

Sharing keys within the same message
The same <EncryptedKey> element can be reused to decrypt multiple <EncryptedData> elements.

Using XML Encryption (1): Encryption process
1. Choose an algorithm (3DES, AES)
2. Choose a key and define how to represent it: the key is generated or looked up; it is either omitted from the message or described in the <KeyInfo> section
3. Serialize the XML data to a byte stream: either the element (with its tags) or its content (tags omitted)

Using XML Encryption (2)
4. Encrypt the byte stream
5. Encode the result in the <CipherData> element
6. Build the <EncryptedData> element with the information required to decrypt it

Using XML Encryption (3): Decryption process
1. Determine the algorithm (3DES, AES)
2. Determine the key: key and algorithm may have been agreed upon in advance; if the key is encrypted, decrypt it first (this step is recursive)
3. Decrypt the data: from <CipherValue> (decode the embedded Base64 byte stream) or from <CipherReference> (dereference the URI and apply the specified Transforms before the data is decrypted)

Using XML Encryption (4)
4. Process XML content: parse the serialized XML and substitute the original <EncryptedData> element with the decrypted XML element (or content)
5. Process non-XML content as described by the MimeType and Encoding attributes of the <EncryptedData> element
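The encryption and decryption procedures of the "Using XML Encryption" slides, worked through as an added example (this is not code from the lecture). It builds a genuine <EncryptedData> structure with the standard library's xml.etree, shows the difference between Type=Element (the element and its tags disappear from the message) and Type=Content (the tags stay, only the content is hidden), and substitutes the decrypted XML back into the tree. Since the standard library ships no AES or 3DES, HMAC-SHA256 in counter mode stands in for the cipher under a made-up algorithm URN; that stand-in, the sample SOAP-like body and the key are this example's assumptions. Key transport (<KeyInfo>) is left out: the key is treated as agreed out of band.

```python
import base64
import copy
import hashlib
import hmac
import secrets
import xml.etree.ElementTree as ET

XENC = "http://www.w3.org/2001/04/xmlenc#"          # real XML Encryption namespace and Type URIs
TYPE_ELEMENT, TYPE_CONTENT = XENC + "Element", XENC + "Content"
# Assumption: the standard library has no AES/3DES, so HMAC-SHA256 in counter mode stands in
# for the cipher under a made-up algorithm URN; a real message would name e.g. xmlenc#aes128-cbc.
STANDIN_CIPHER = "urn:example:hmac-sha256-ctr"
ET.register_namespace("xenc", XENC)


def _ctr_xor(key, iv, data):
    """XOR data with an HMAC-SHA256 counter-mode keystream; the same call decrypts."""
    out = bytearray()
    for n, i in enumerate(range(0, len(data), 32)):
        ks = hmac.new(key, iv + n.to_bytes(4, "big"), hashlib.sha256).digest()
        out.extend(b ^ k for b, k in zip(data[i:i + 32], ks))
    return bytes(out)


def _serialize(elem):
    """Step 3: byte stream of the element with its tags (tail text dropped; it belongs to the parent)."""
    c = copy.copy(elem)
    c.tail = None
    return ET.tostring(c)


def encrypt_in_place(parent, elem, key, content_only=False):
    """Steps 3-6: serialize, encrypt, Base64-encode, build <EncryptedData> and put it in the tree.
    Type=Element replaces elem itself; Type=Content keeps elem's tags and hides only its content."""
    if content_only:
        plain = (elem.text or "").encode() + b"".join(_serialize(c) for c in elem)
    else:
        plain = _serialize(elem)
    iv = secrets.token_bytes(16)                      # fresh per message, sent in front of the ciphertext
    enc = ET.Element(f"{{{XENC}}}EncryptedData", Type=TYPE_CONTENT if content_only else TYPE_ELEMENT)
    ET.SubElement(enc, f"{{{XENC}}}EncryptionMethod", Algorithm=STANDIN_CIPHER)
    cipher_data = ET.SubElement(enc, f"{{{XENC}}}CipherData")
    value = ET.SubElement(cipher_data, f"{{{XENC}}}CipherValue")
    value.text = base64.b64encode(iv + _ctr_xor(key, iv, plain)).decode()
    if content_only:
        for child in list(elem):
            elem.remove(child)
        elem.text = None
        elem.append(enc)
    else:
        enc.tail = elem.tail
        parent[list(parent).index(elem)] = enc
    return enc


def decrypt_in_place(parent, enc, key):
    """Decryption steps: check the algorithm, decode <CipherValue>, decrypt, parse, substitute back.
    parent is the direct parent of enc: the original element's parent for Type=Element, the
    original element itself for Type=Content. Returns the restored element."""
    alg = enc.find(f"{{{XENC}}}EncryptionMethod").get("Algorithm")
    if alg != STANDIN_CIPHER:
        raise ValueError(f"cannot decrypt: unsupported algorithm {alg}")
    raw = base64.b64decode(enc.find(f"{{{XENC}}}CipherData/{{{XENC}}}CipherValue").text)
    plain = _ctr_xor(key, raw[:16], raw[16:])
    if enc.get("Type") == TYPE_CONTENT:
        tmp = ET.fromstring(b"<tmp>" + plain + b"</tmp>")   # wrapper: content need not have one root
        parent.remove(enc)
        parent.text = tmp.text
        parent.extend(list(tmp))
        return parent
    restored = ET.fromstring(plain)
    restored.tail = enc.tail
    parent[list(parent).index(enc)] = restored
    return restored


def roundtrip(content_only, key=b"k" * 32):
    """Constructed SOAP-like body: returns what goes on the wire and the document after decryption."""
    body = ET.fromstring("<Body><Card><Number>4111 1111</Number></Card><Note>visible</Note></Body>")
    card = body.find("Card")
    enc = encrypt_in_place(body, card, key, content_only)
    wire = ET.tostring(body).decode()
    decrypt_in_place(card if content_only else body, enc, key)
    return wire, ET.tostring(body).decode()
```

Calling roundtrip(False) and roundtrip(True) and printing the first element of each result shows the two wire formats side by side: with Type=Element the <Card> tags themselves are gone, so an observer cannot even tell a card was sent; with Type=Content the <Card> element remains visible with a single <xenc:EncryptedData> child.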
Using XML Encryption together with XML Signature

XML Signature and XML Encryption
Message confidentiality and integrity are both important requirements of a secure message exchange. XML Signature and XML Encryption have been designed to work together to achieve this.
Problem: in which order should they be applied? Sign or encrypt first?
- Encryption metadata is sent in clear. If it is not signed, an attacker could corrupt the encrypted data or its metadata to prevent decryption of the message.
- If signatures are sent in the clear, attackers could strip them from a message or replace them entirely without the recipient noticing.

Example 1: Encrypt the signed data (1)

Example 1: Encrypt the signed data (2)
The signature is hidden inside the encrypted XML. The order is clear: 1. decrypt; 2. verify the signature.
Problem: the encryption metadata is not protected by a signature.

Example 2: Sign the encrypted data

Decrypt Transform in XML Signature (1)
When a message is received, it may not be clear in which order signature validation and decryption should be applied. To make the order of encryption and signature explicit, the Decrypt transform has been added to the XML Signature standard. This transform is used to distinguish whether the signature applies to the <EncryptedData> element or to the decrypted data.

Decrypt Transform in XML Signature (2)
The XML Signature processor will decrypt all referenced <EncryptedData> elements except the one identified by the <Except> element. With this solution, default processing always applies decryption before signature verification, unless the sender specifies such a transform.
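The two orderings of the slides above (Example 1, sign then encrypt; Example 2, encrypt then sign) and the two threats named before them (metadata corruption, signature stripping), played out as an added example that is not part of the lecture. The model is deliberately small: a message is a dict whose fields mirror the XML element names, the XML Signature is an HMAC-SHA256 tag over the bytes it covers, and the cipher is a one-time pad whose key the parties agreed out of band, so the only thing that varies is what the signature covers. The field names, key, algorithm URN and status strings are this example's assumptions.

```python
import hashlib
import hmac
import secrets

# Assumptions of this model: the XML Signature is an HMAC-SHA256 tag over the bytes it covers, the
# cipher is a one-time pad whose key the two parties agreed out of band, and a message is a dict
# whose fields mirror the XML element names. Only "what does the signature cover" matters here.
ALG = b"urn:example:one-time-pad"
SIG_KEY = b"S" * 32                                      # constructed signing key


def _sign(data):
    return hmac.new(SIG_KEY, data, hashlib.sha256).hexdigest()


def _xor(data, pad):
    return bytes(a ^ b for a, b in zip(data, pad))


def _covered(msg):
    """Bytes an outer signature covers: the encryption metadata and the ciphertext."""
    return msg["EncryptionMethod"] + b"\0" + msg["CipherValue"]


def sign_then_encrypt(plaintext):
    """Example 1: the signature travels inside the ciphertext; the metadata is unprotected."""
    inner = plaintext + b"|" + _sign(plaintext).encode()
    pad = secrets.token_bytes(len(inner))
    return {"EncryptionMethod": ALG, "CipherValue": _xor(inner, pad), "Signature": None}, pad


def encrypt_then_sign(plaintext):
    """Example 2: the signature covers <EncryptedData>, metadata included."""
    pad = secrets.token_bytes(len(plaintext))
    msg = {"EncryptionMethod": ALG, "CipherValue": _xor(plaintext, pad), "Signature": None}
    msg["Signature"] = _sign(_covered(msg))
    return msg, pad


def receive(msg, pad, outer_signature_required):
    """Recipient. Returns the plaintext, or a status explaining why the message was refused."""
    if msg["Signature"] is not None:
        if not hmac.compare_digest(msg["Signature"], _sign(_covered(msg))):
            return b"tampered"                      # caught before any decryption is attempted
    elif outer_signature_required:
        return b"rejected: signature missing"       # a stripped outer signature must be fatal
    if msg["EncryptionMethod"] != ALG:
        return b"undecryptable"                     # attack or misconfiguration? cannot tell
    plain = _xor(msg["CipherValue"], pad)
    if msg["Signature"] is not None:
        return plain                                # integrity was already checked outside
    body, _, tag = plain.rpartition(b"|")           # inner signature: verify after decryption
    if not hmac.compare_digest(tag, _sign(body).encode()):
        return b"tampered"
    return body


def demo(encrypt_first, attack):
    """attack is None, "alter-metadata" or "strip-signature"; the order text is constructed."""
    msg, pad = (encrypt_then_sign if encrypt_first else sign_then_encrypt)(b"<Order>widget</Order>")
    if attack == "alter-metadata":
        msg["EncryptionMethod"] = b"urn:example:altered"
    elif attack == "strip-signature":
        msg["Signature"] = None                     # only a cleartext signature is reachable
    return receive(msg, pad, outer_signature_required=encrypt_first)
```

Running demo() over the four combinations reproduces the slides' trade-off: with sign-then-encrypt an altered EncryptionMethod yields only "undecryptable", which the recipient cannot distinguish from a configuration problem, but the signature is unreachable to a stripping attacker; with encrypt-then-sign the same alteration is reported as "tampered" before decryption, at the price that the recipient must treat a missing outer signature as a hard error rather than as "unsigned".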
WS-Security

WS-Security overview (1)
The WS-Security standard applies XML security (XML Encryption and XML Signature) to implement secure SOAP message exchange across multiple, independent trust domains.
Goal: security at the message level (end-to-end).
Solution: apply encryption and signatures within a SOAP message, independently of the transport. Parts of the message body can be encrypted; signatures are stored in the header.

WS-Security overview (2)
WS-Security features support for:
- multiple signature technologies
- multiple encryption technologies
- multiple security token formats
OASIS standard, April 2004.

Message Security vs. Transport Security (1): Message security
Disadvantages:
- Immature standards, only partially supported by existing tools
- Securing XML is complicated
Advantages:
- Different parts of a message can be secured in different ways
- Asymmetric: different security mechanisms can be applied to request and response
- Self-protecting messages (transport independent)

Message Security vs. Transport Security (2): Transport security
Disadvantages:
- Point to point: the complete message is in clear after each hop
- Symmetric: request and response messages must use the same security properties
- Transport specific
Advantages:
- Widely available, mature technologies (SSL, TLS, HTTPS)
- Understood by most system administrators

Protecting SOAP messages
Security threats to a SOAP message:
- a message could be read by an attacker
- a message could be modified by an attacker
- a message could be sent by an attacker
To address these threats, WS-Security applies a combination of:
1. encryption (ensures the confidentiality of the message)
2. signatures (verify the origin and the integrity of a message)
3. security tokens (authorize the processing of the message based on the credentials associated with it)
Messages with invalid signatures and incorrect or missing tokens are rejected.

A secure SOAP message

Security Tokens (1)
WS-Security supports a variety of authentication and authorization mechanisms by including the corresponding tokens in the Security header of the message:
- Simple tokens: Username/clear password; Username/password digest
- Binary tokens: X.509 certificates; Kerberos

Security Tokens (2)
- XML tokens: SAML assertions; XrML (eXtensible Rights Markup Language); XCBF (XML Common Biometric Format)
- Token reference: WS-SecureConversation
Security Tokens and Identity (1)
A security token can be used to claim the identity of the source of a message. Username/PasswordText is the simplest token used to convey identity, but it is not secure (SOAP messages should not contain passwords in clear). Username/PasswordDigest deals with this problem:

Security Tokens and Identity (2)
- To produce the digest, the password is hashed together with a timestamp and a nonce
- Protection against replay attacks
- The server must store the plain-text password
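The PasswordDigest scheme of the two slides above, as an added example that is not the lecture's code: the client builds the fields of a UsernameToken, and a server-side verifier recomputes the digest, bounds the Created timestamp and keeps a nonce cache so that a captured token cannot be replayed within the freshness window (the replay protection the slide refers to comes from these two server checks, not from the hash itself). The digest formula Base64(SHA-1(nonce + created + password)) is the one in the WS-Security UsernameToken Profile; the password store, the five-minute window and the status strings are this example's assumptions. Note the consequence the slide states: the server needs the plain-text password to recompute the digest.

```python
import base64
import calendar
import hashlib
import hmac
import secrets
import time

PASSWORDS = {"alice": "correct horse battery staple"}   # constructed store; plain text is required
TS_FMT = "%Y-%m-%dT%H:%M:%SZ"                           # wsu:Created is a UTC xsd:dateTime


def password_digest(nonce, created, password):
    """UsernameToken profile: Base64(SHA-1(nonce + created + password)), nonce as raw bytes."""
    digest = hashlib.sha1(nonce + created.encode() + password.encode()).digest()
    return base64.b64encode(digest).decode()


def make_token(username, password, now=None):
    """Client side: the fields of a <wsse:UsernameToken> carrying a PasswordDigest."""
    created = time.strftime(TS_FMT, time.gmtime(now if now is not None else time.time()))
    nonce = secrets.token_bytes(16)
    return {"Username": username, "Nonce": base64.b64encode(nonce).decode(),
            "Created": created, "Password": password_digest(nonce, created, password)}


class UsernameTokenVerifier:
    """Server side: bound the timestamp, refuse a reused nonce, recompute the digest."""

    def __init__(self, passwords, freshness=300):
        self.passwords = passwords
        self.freshness = freshness            # seconds of tolerated skew, and the replay window
        self.seen = {}                        # nonce -> expiry, so the cache stays bounded

    def verify(self, token, now=None):
        now = now if now is not None else time.time()
        created = calendar.timegm(time.strptime(token["Created"], TS_FMT))
        if abs(now - created) > self.freshness:
            return "rejected: stale timestamp"   # outside the window: no nonce lookup needed
        self.seen = {n: exp for n, exp in self.seen.items() if exp > now}
        if token["Nonce"] in self.seen:
            return "rejected: replayed nonce"
        password = self.passwords.get(token["Username"])
        if password is None:
            return "rejected: unknown user"
        expected = password_digest(base64.b64decode(token["Nonce"]), token["Created"], password)
        if not hmac.compare_digest(expected, token["Password"]):
            return "rejected: bad digest"
        self.seen[token["Nonce"]] = now + self.freshness
        return "accepted"
```

The freshness check runs before the nonce lookup on purpose: it lets the cache hold only nonces from the last few minutes, which is all that is needed, since a token older than the window is rejected regardless of whether its nonce was seen.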
Security Tokens and Authentication (1)
A security token can be signed to authenticate a claim made by the sender of the message. Signatures associated with tokens can be verified by the recipient to authenticate the identity of the sender.

Security Tokens and Authentication (2)
Example: X.509 certificates (public keys) should be signed in order to provide authentication of the sender (proof of possession of the corresponding private key).

Federated Security Domains (1)
Different systems may belong to different security domains that use different security mechanisms and policies. Although SOAP enables interoperability between these systems, the translation of security metadata between different domains remains a problem. WS-Security is a first step towards providing a standardized syntax and semantics for representing security information.

Federated Security Domains (2)
WS-Trust adds a standard interface for a security token service provider, used to:
- issue and renew security tokens to be attached to a SOAP message with WS-Security
- validate security tokens from a different domain
- translate security tokens across domains that share a trust relationship (WS-Federation)

Putting it all together

WS-SecureConversation (1)
The security handshake involving the creation of tokens and their validation may impose a high performance overhead. WS-SecureConversation defines a shared security context to be reused across the exchange of multiple messages: the same combination of security credentials (authentication, authorization) and encryption keys can be reused.

WS-SecureConversation (2)
Once the conversation is established, the requester and the service share a secret:
- the client does not have to include the security metadata in each message
- the service does not have to revalidate the same tokens for each message
This is implemented using a special token: <SecurityContextToken>.
SAML (Security Assertion Markup Language)

SAML overview (1)
The Security Assertion Markup Language (SAML) predates WS-Security: it was standardized at OASIS in November 2002 (v1.0), August 2003 (v1.1) and March 2005 (v2.0).
Goal: enable loosely coupled identity management.
Solution: define a format and a protocol for the interoperable exchange of security information (assertions) about subjects (human users or computer systems) that have to be identified within a certain security domain.

SAML overview (2)
Use cases supported by standard profiles:
- Single Sign-On (SSO) and Single Logout
- Identity federation
- Privacy-preserving identification
- Securing Web service messages: SAML assertions are used as WS-Security tokens
SAML also defines a protocol for clients to request assertions from SAML authorities and for services to verify assertions with trusted SAML authorities.

Portable and Federated Identity (1)
SAML enables Single Sign-On and the transfer of identity credentials across different trust domains. Credentials established at the initial service, where the user is authenticated, are forwarded to other services that can trust them.

Portable and Federated Identity (2)
This is done without a centralized authentication registry that would have to be shared and trusted by everyone (example: Project Liberty).

SAML concepts (1)
- SAML uses XML to describe security assertions that can be understood across security domains
- SAML defines a standard protocol to generate, exchange and process assertions
- SAML bindings map how a SAML document is transported: SAML requires HTTPS
- SAML can be used inside SOAP messages to represent WS-Security tokens

SAML concepts (2)
SAML assertions and the corresponding protocols are used for:
- Authentication: verification of identity credentials
- Attributes: information associated with subjects (e.g., the user's address or the current balance status of their account)
- Authorization: grant (or deny) access to a resource for an authenticated subject (as of SAML 2.0, this feature uses XACML)
- Custom assertions
SAML Assertion Metadata Example

Authentication Assertions (1)
An authentication assertion (statement) is produced by an authentication authority (issuer) to claim that a subject (with some identification) was successfully identified with a certain method (or context class) at a certain time.

Authentication Assertions (2)
Depending on the method, the authentication assertion can be trusted with a certain level of confidence to represent the digital identity of the subject for some period of time.

Authentication Methods (1)
To describe how a subject's identity was authenticated, SAML 2.0 defines the following authentication context classes:
- Internet Protocol address
- Username/password over HTTP or HTTPS
- Secure Remote Password
- IP address and username/password
- SSL/TLS certificate-based client authorization
- Kerberos ticket
- Public key (X.509, PGP, SPKI, XML Signature)

Authentication Methods (2)
- Telephone number
- Smartcard: one factor, two factor
- Mobile: one factor, two factor
- Previous session
- Unspecified

Attribute Assertions
An authority asserts that the subject is associated with the specified attributes. SAML profiles show how to apply attributes to standardize access to directories of user attribute information:
- LDAP/X.500
- DCE PAC (Privilege Attribute Certificate)
- XACML (eXtensible Access Control Markup Language)
Additionally, attributes can model accounting-related information: the credit amount left in the account or the payment status of a user.

SAML Protocols

Putting it all together
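The authentication and attribute assertions described in the slides above, seen from the relying party's side, as an added example that is not part of the lecture: a constructed SAML 2.0 assertion with one AuthnStatement and one AttributeStatement is parsed, and the checks a service must make before it believes the statements (issuer trust, validity window, audience) are applied, after which the subject, the authentication context class with a confidence level, and the attributes are returned. The namespace and the context class URIs are the real SAML 2.0 ones; the assertion itself, the issuer and service URLs, the confidence ranking and the policy of refusing an assertion without Conditions are this example's assumptions. It also assumes the issuer's XML Signature has already been verified, which in practice must happen first.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"        # real SAML 2.0 assertion namespace
AC = "urn:oasis:names:tc:SAML:2.0:ac:classes:"        # real prefix of the authentication context classes
# Assumed relying-party policy: how much confidence each context class earns. The ranking is this
# example's choice; the slides only say that the trust placed in an assertion depends on the method.
CONFIDENCE = {AC + "InternetProtocol": 1, AC + "PasswordProtectedTransport": 2,
              AC + "Kerberos": 3, AC + "X509": 3, AC + "SmartcardPKI": 4}
TS = "%Y-%m-%dT%H:%M:%SZ"

# Constructed assertion: one authentication statement and one attribute statement.
SAMPLE_ASSERTION = f"""<saml:Assertion xmlns:saml="{SAML}" ID="_constructed1" Version="2.0"
    IssueInstant="2024-05-01T10:00:00Z">
  <saml:Issuer>https://idp.example.org</saml:Issuer>
  <saml:Subject><saml:NameID>alice@example.org</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2024-05-01T10:00:00Z" NotOnOrAfter="2024-05-01T10:05:00Z">
    <saml:AudienceRestriction><saml:Audience>https://sp.example.org</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AuthnStatement AuthnInstant="2024-05-01T09:59:50Z">
    <saml:AuthnContext>
      <saml:AuthnContextClassRef>{AC}PasswordProtectedTransport</saml:AuthnContextClassRef>
    </saml:AuthnContext>
  </saml:AuthnStatement>
  <saml:AttributeStatement>
    <saml:Attribute Name="role"><saml:AttributeValue>customer</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="creditLimit"><saml:AttributeValue>500</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def _ts(value):
    return datetime.strptime(value, TS).replace(tzinfo=timezone.utc)


def validate_assertion(xml_text, trusted_issuers, my_audience, now):
    """Checks a relying party makes before believing an assertion's statements. Assumption: the
    issuer's XML Signature over the assertion has already been verified; without that step none
    of the checks below mean anything, since anyone could have written the document."""
    a = ET.fromstring(xml_text)
    now = _ts(now)
    if a.tag != f"{{{SAML}}}Assertion" or a.get("Version") != "2.0":
        return {"ok": False, "reason": "not a SAML 2.0 assertion"}
    issuer = a.findtext(f"{{{SAML}}}Issuer")
    if issuer not in trusted_issuers:
        return {"ok": False, "reason": f"untrusted issuer {issuer}"}
    cond = a.find(f"{{{SAML}}}Conditions")
    if cond is None:
        return {"ok": False, "reason": "no Conditions"}   # policy: refuse open-ended assertions
    not_before, not_after = cond.get("NotBefore"), cond.get("NotOnOrAfter")
    if (not_before and now < _ts(not_before)) or (not_after and now >= _ts(not_after)):
        return {"ok": False, "reason": "outside validity window"}
    audiences = [e.text for e in cond.iter(f"{{{SAML}}}Audience")]
    if audiences and my_audience not in audiences:
        return {"ok": False, "reason": "assertion not addressed to this service"}
    ref = a.find(f"{{{SAML}}}AuthnStatement/{{{SAML}}}AuthnContext/{{{SAML}}}AuthnContextClassRef")
    klass = ref.text.strip() if ref is not None and ref.text else None
    attributes = {att.get("Name"): [v.text for v in att.findall(f"{{{SAML}}}AttributeValue")]
                  for att in a.iter(f"{{{SAML}}}Attribute")}
    return {"ok": True, "subject": a.findtext(f"{{{SAML}}}Subject/{{{SAML}}}NameID"),
            "authn_class": klass, "confidence": CONFIDENCE.get(klass, 0), "attributes": attributes}
```

The audience check is what keeps an assertion issued for one service from being presented to another: a valid, signed assertion for https://sp.example.org is still refused by a service whose own identifier is different. The validity window uses NotOnOrAfter as an exclusive bound, as its name says.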
XACML (eXtensible Access Control Markup Language)

XACML overview (1)
Goal: represent access control policies in XML.
Solution: define an XML schema for representing authorization rules that grant (or refuse) subjects access to target resources to perform specific actions.
Features:
- fine-grained control: targets referenced using URLs
- consistent with and building upon SAML

XACML overview (2)
Benefits:
- interoperability of different security tools (migration of rules through import/export)
- a uniform way to specify access control policies
- reuse of a generic access control service
- consolidation of access control policies across the enterprise: centralization reduces costs
OASIS standard released February 2003 (v1.0), August 2003 (v1.1) and March 2005 (v2.0).

What is Access Control?
Authorization is the permission granted to a subject to perform some action on some target resource. Rights management tools control whether a subject is granted the authorization rights. Access rights can be granted to individual subjects, but also to groups of subjects (or roles).

XACML Rule Example (Simplified)
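The rule model the XACML slides describe (subject, resource, action, effect), reduced to a small evaluator as an added example that is not the lecture's material: each rule has a target over request attributes, an optional condition, and an effect; the four decision values and the deny-overrides combining behaviour (Deny wins, then an Indeterminate that might have been a Deny, then Permit) follow XACML, while the rules, the resource URL and the request attribute names are constructed for the example. The enforcement point at the end treats anything but an explicit Permit as a refusal, which is the safe default when a policy does not apply or cannot be evaluated.

```python
from dataclasses import dataclass, field
from typing import Callable, Optional

# The four XACML decision values
PERMIT, DENY, NOT_APPLICABLE, INDETERMINATE = "Permit", "Deny", "NotApplicable", "Indeterminate"


@dataclass
class Rule:
    """Simplified XACML <Rule>: a Target (attribute name -> acceptable values; an empty target
    matches any request), an optional Condition over the request, and an Effect."""
    rule_id: str
    effect: str
    target: dict = field(default_factory=dict)
    condition: Optional[Callable[[dict], bool]] = None

    def evaluate(self, request):
        for name, values in self.target.items():
            if request.get(name) not in values:
                return NOT_APPLICABLE
        try:
            if self.condition is not None and not self.condition(request):
                return NOT_APPLICABLE
        except KeyError:
            return INDETERMINATE          # the condition needs an attribute the request lacks
        return self.effect


def deny_overrides(rules, request):
    """Deny-overrides rule combining: any Deny wins; an Indeterminate from a Deny rule counts as
    Deny because it might have been one; otherwise Permit, Indeterminate, NotApplicable."""
    decisions = [r.evaluate(request) for r in rules]
    if DENY in decisions:
        return DENY
    if any(d == INDETERMINATE and r.effect == DENY for r, d in zip(rules, decisions)):
        return DENY
    if PERMIT in decisions:
        return PERMIT
    if INDETERMINATE in decisions:
        return INDETERMINATE
    return NOT_APPLICABLE


def pep_allows(rules, request):
    """Policy Enforcement Point: only an explicit Permit grants access; everything else is refused."""
    return deny_overrides(rules, request) == PERMIT


# Constructed policy: the target resource is referenced by URL, as the slides describe.
ORDERS = "https://erp.example.org/orders"
RULES = [
    Rule("read-orders", PERMIT,
         {"role": {"clerk", "manager"}, "resource": {ORDERS}, "action": {"read"}}),
    Rule("approve-small-orders", PERMIT,
         {"role": {"manager"}, "resource": {ORDERS}, "action": {"approve"}},
         condition=lambda req: req["amount"] <= 10000),
    Rule("never-delete", DENY, {"resource": {ORDERS}, "action": {"delete"}}),
]
```

A request that carries no "amount" attribute makes the approval rule Indeterminate rather than NotApplicable; the combiner passes that through, and the enforcement point refuses it. Silently treating a missing attribute as "condition not met" would hide policy bugs and request-construction errors behind the same decision as an ordinary refusal.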
XACML architecture
XACML works together with SAML to implement an authorization authority.
END
More informationIdentity, Authentication and Authorization. John Slankas
Identity, Authentication and Authorization John Slankas jbslanka@ncsu.edu Identity Who or what a person or thing is; a distinct impression of a single person or thing presented to or perceived by others;
More informationSecure Sockets Layer (SSL) / Transport Layer Security (TLS)
Secure Sockets Layer (SSL) / Transport Layer Security (TLS) Brad Karp UCL Computer Science CS GZ03 / M030 20 th November 2017 What Problems Do SSL/TLS Solve? Two parties, client and server, not previously
More informationSecurity Assertion Markup Language (SAML) applied to AppGate XDP
1 Security Assertion Markup Language (SAML) applied to AppGate XDP Jamie Bodley-Scott AppGate Product Manager May 2016 version2 This document provides background on SAML for those of you who have not used
More informationNimsoft Service Desk. Single Sign-On Configuration Guide. [assign the version number for your book]
Nimsoft Service Desk Single Sign-On Configuration Guide [assign the version number for your book] Legal Notices Copyright 2012, CA. All rights reserved. Warranty The material contained in this document
More informationCS November 2018
Authentication Distributed Systems 25. Authentication For a user (or process): Establish & verify identity Then decide whether to allow access to resources (= authorization) Paul Krzyzanowski Rutgers University
More informationCryptography SSL/TLS. Network Security Workshop. 3-5 October 2017 Port Moresby, Papua New Guinea
Cryptography SSL/TLS Network Security Workshop 3-5 October 2017 Port Moresby, Papua New Guinea 1 History Secure Sockets Layer was developed by Netscape in 1994 as a protocol which permitted persistent
More information1 URI stands for Universal Resource Identifier.
Chapter 1. XML Security The extendible Markup Language (XML) allows organizations to agree on a common, interoperable markup for document formatting (vocabulary), and use it to exchange business documents,
More informationCanadian Access Federation: Trust Assertion Document (TAD)
Purpose A fundamental requirement of Participants in the Canadian Access Federation is that they assert authoritative and accurate identity attributes to resources being accessed, and that Participants
More informationSystems Analysis and Design in a Changing World, Fourth Edition
Systems Analysis and Design in a Changing World, Fourth Edition Learning Objectives Discuss examples of system interfaces found in information systems Define system inputs and outputs based on the requirements
More informationSecurity+ Guide to Network Security Fundamentals, Third Edition. Chapter 11 Basic Cryptography
Security+ Guide to Network Security Fundamentals, Third Edition Chapter 11 Basic Cryptography Objectives Define cryptography Describe hashing List the basic symmetric cryptographic algorithms 2 Objectives
More informationAccess Control Service Oriented Architecture
http://www.cse.wustl.edu/~jain/cse571-09/ftp/soa/index.html 1 of 13 Access Control Service Oriented Architecture Security Yoon Jae Kim, yj1dreamer AT gmail.com (A project report written under the guidance
More informationAuthentication. Katarina
Authentication Katarina Valalikova @KValalikova k.valalikova@evolveum.com 1 Agenda History Multi-factor, adaptive authentication SSO, SAML, OAuth, OpenID Connect Federation 2 Who am I? Ing. Katarina Valaliková
More informationPASS4TEST. IT Certification Guaranteed, The Easy Way! We offer free update service for one year
PASS4TEST IT Certification Guaranteed, The Easy Way! \ http://www.pass4test.com We offer free update service for one year Exam : 000-575 Title : IBM Tivoli Federated Identity Manager V6.2.2 Implementation
More informationReview of differences in SAML V2.0 from SAML V1.1 and ID-FF V1.2
Review of differences in SAML V2.0 from SAML V1.1 and ID-FF V1.2 Eve Maler 21 April 2004 Thanks to Scott and JohnK for comments (line numbers are from sstc-saml-core-08-diff-from-02) SAML V2.0 diffs in
More informationIntroduction and Overview. Why CSCI 454/554?
Introduction and Overview CSCI 454/554 Why CSCI 454/554? Get Credits and Graduate Security is important More job opportunities More research funds 1 Workload Five homework assignments Two exams (open book
More informationCombating Common Web App Authentication Threats
Security PS Combating Common Web App Authentication Threats Bruce K. Marshall, CISSP, NSA-IAM Senior Security Consultant bmarshall@securityps.com Key Topics Key Presentation Topics Understanding Web App
More information1. Federation Participant Information DRAFT
INCOMMON FEDERATION: PARTICIPANT OPERATIONAL PRACTICES [NOTE: This document should be considered a as MIT is still in the process of spinning up its participation in InCommon.] Participation in InCommon
More informationCanadian Access Federation: Trust Assertion Document (TAD)
Participant Name: Concordia University of Edmonton Canadian Access Federation: Trust Assertion Document (TAD) 1. Purpose A fundamental requirement of Participants in the Canadian Access Federation is that
More informationCOSC 301 Network Management. Lecture 15: SSL/TLS and HTTPS
COSC 301 Network Management Lecture 15: SSL/TLS and HTTPS Zhiyi Huang Computer Science, University of Otago COSC301 Lecture 15: SSL/TLS and HTTPS 1 Today s Focus WWW WWW How to secure web applications?
More informationConcepts of Web Services Security
Concepts of Web Services Security Session MCP/OS/MTP 4066 2:45 3:45pm, Halloween 2017 MGS, Inc. Software Engineering, Product & Services firm founded in 1986 Products and services to solve business problems:
More informationData Security and Privacy. Topic 14: Authentication and Key Establishment
Data Security and Privacy Topic 14: Authentication and Key Establishment 1 Announcements Mid-term Exam Tuesday March 6, during class 2 Need for Key Establishment Encrypt K (M) C = Encrypt K (M) M = Decrypt
More informationUsing the Cisco ACE Application Control Engine Application Switches with the Cisco ACE XML Gateway
Using the Cisco ACE Application Control Engine Application Switches with the Cisco ACE XML Gateway Applying Application Delivery Technology to Web Services Overview The Cisco ACE XML Gateway is the newest
More informationIBM Exam C IBM Tivoli Federated Identity Manager V6.2.2 Implementation Version: 6.0 [ Total Questions: 134 ]
s@lm@n IBM Exam C2150-575 IBM Tivoli Federated Identity Manager V6.2.2 Implementation Version: 6.0 [ Total Questions: 134 ] IBM C2150-575 : Practice Test Question No : 1 What is the default file name of
More informationA Signing Proxy for Web Services Security
A Signing Proxy for Web Services Security Dr. Ingo Melzer Prof. Mario Jeckle What is a Web Service? Web Service Directory Description UDDI/WSIL WSDL Transport Content Infrastructure SOAP XML Web Service
More informationFederated Web Services with Mobile Devices
Federated Web Services with Mobile Devices Rajeev Angal Architect Sun Microsystems Pat Patterson Architect Sun Microsystems Session TS-6673 Copyright 2006, Sun Microsystems, Inc., All rights reserved.
More informationC exam. IBM C IBM WebSphere Application Server Developer Tools V8.5 with Liberty Profile. Version: 1.
C9510-319.exam Number: C9510-319 Passing Score: 800 Time Limit: 120 min File Version: 1.0 IBM C9510-319 IBM WebSphere Application Server Developer Tools V8.5 with Liberty Profile Version: 1.0 Exam A QUESTION
More informationMetadata for SAML 1.0 Web Browser Profiles
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 Metadata for SAML 1.0 Web Browser Profiles Working Draft 00, 12 November 2002 Document identifier: draft-sstc-saml-meta-data-00 Location:
More informationKey Management and Distribution
Key Management and Distribution Raj Jain Washington University in Saint Louis Saint Louis, MO 63130 Jain@cse.wustl.edu Audio/Video recordings of this lecture are available at: http://www.cse.wustl.edu/~jain/cse571-14/
More information